
I have a hard drive that was encrypted by TrueCrypt, a custom edition with a self-input password, and I have found this 40-byte password via MBR debugging, but I can't mount it using the standard version 7.1a.

What I want is to get some files from this hard drive. The good news is that this hard drive is bootable and it is Windows XP SP2, but a fullscreen app is auto-started and any input (keyboard, mouse, etc.) is blocked; therefore, the only way to touch it is debugging it with the VMware gdb stub.

IDA's remote debugger is working very well; I can now touch the guest's memory, edit its code, and set breakpoints, and the symbols are loaded.

So the question is: how can I start a process via patching the kernel?

What I'm thinking is: build a WinDDK project, implement a driver that does this with a user APC, then disassemble it to get its assembler code, and then patch it into the guest via IDA.

Any idea? Thanks.

coder
  • Are you using the [checked/debug version of Windows](https://msdn.microsoft.com/en-us/library/windows/hardware/ff543450%28v=vs.85%29.aspx)? – Lynn Crumbling Jan 22 '16 at 17:07
  • So `.shell` is not an option, do I understand that right? – Thomas Weller Jan 22 '16 at 19:17
  • I'm using the VMware gdb debugger, so there's no command like WinDbg's `.shell`. – coder Jan 23 '16 at 02:56
  • To start a user mode process in the guest and control it via the kernel debugger in the host, use `ntsd -d` from the guest. – blabb Jan 23 '16 at 07:06
  • Then you don't use WinDbg at all? The question is tagged WinDbg – Thomas Weller Jan 23 '16 at 17:24
  • Proper spacing and upper/lower case formatting generally helps readability. – hotzst Jan 24 '16 at 19:04
  • @blabb Thanks, but in my situation I can't touch the guest at all. The file system was encrypted by TrueCrypt (modified to self-start, with the password coded in the MBR; I have got the 40-byte password via MBR debugging, but I can't mount it properly with this password using the TrueCrypt 7.1a standard version). After boot, a fullscreen app auto-starts and blocks any input (keyboard, mouse, etc.), so the VMware gdb stub is the only way to touch it. – coder Jan 26 '16 at 04:30
  • @Thomas Weller Yes, it's just because I cannot start a WinDbg server on the guest. I tagged WinDbg because what I want is just what WinDbg does, and I think people who know WinDbg may also understand my situation. Thanks anyway. – coder Jan 26 '16 at 04:39
  • @hotzst Sorry about that, I will be more careful next time. – coder Jan 26 '16 at 04:41
  • @Lynn Crumbling No, the system is not running in debug mode. – coder Jan 26 '16 at 05:28

0 Answers